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ABSTRACT 

Providing  security  in  embedded  systems  is  in  urgent  needs  while 
there  are  many  challenges  in  both  software  and  hardware  sides  that 
require  further  research  to  understand  their  implications.  This  pa- 
per discusses  microarchitectural  and  compiler  support  to  address 
a variety  of  vulnerabilities  due  to  physical  tampering,  program  be- 
havior exploits,  and  digital  rights  management  issues.  We  also  ad- 
vocate the  need  for  protecting  intellectual  properties  programmed 
in  the  growing  number  of  FPGA-based  embedded  systems. 

1.  INTRODUCTION 

While  embedded  computing  is  becoming  more  pervasive  and 
invisible,  the  ways  users  communicate  and  operate  data  on  these 
devices,  however,  are  becoming  more  vulnerable  to  malicious  ex- 
ploits. W'hen  these  data,  either  sensitive  or  insensitive,  are  manip- 
ulated in  a way  they  are  not  intended  for,  some  dire  consequence 
may  ensue.  For  example,  crackers  can  reverse-engineer  the  crypto- 
graphic keys  of  a multimedia  system  or  game  console  to  duplicate 
and  distribute  illegal  copies  of  proprietary  software  [1],  Another 
example  described  in  [2]  shows  that  well-resourced  crackers  can 
invade  one’s  privacy  by  monitoring  the  thermostat  to  determine  if 
one  is  at  home  or  not.  Even  worse,  malicious  attackers  can  change 
the  setting  of  the  thermostat  through  Internet  and  damage  pipes  or 
kill  pets  during  winter  times. 

To  provide  reliable  security  for  these  devices  to  combat  against 
various  types  of  attacks  remain  a major  challenge  to  both  hardware 
and  software  designers.  The  reality  is  that  embedded  system  de- 
signers can  no  longer  consider  security  as  an  afterthought  as  many 
robust  security  features  require  shrewd  and  thorough  consideration 
at  the  very  early  design  stage.  In  this  paper,  we  discuss  potential 
security  breach  from  a system’s  perspective  at  the  microarchitec- 
ture level  and  the  compiler  level.  We  hope  our  advocates  will  raise 
the  consciousness  of  building  security  as  an  indispensable  part  in 
the  embedded  system  design  flow. 

2.  PHYSICAL  TAMPERING 

One  of  the  greatest  concerns  on  embedded  devices  is  regarding 
malicious  exploits  via  physical  tampering  of  the  devices  when  ad- 
versaries gain  full  physical  access  to  the  hardware  and  reveal  sensi- 
tive data  or  intellectual  property  (IP)  algorithms  employed  in  these 
compromised  devices.  Obviously,  secrets  inside  these  devices  must 
be  protected  against  these  physical  attacks.  However,  the  issue  be- 
comes even  more  challenging  when  both  IP  protection  requirement 
and  real-time  constraint  need  to  be  met  for  these  embedded  applica- 
tions. To  guarantee  both  criteria,  hardware -based  encryption  sup- 
port is  generally  implemented  to  provide  satisfactory  performance 
while  caution  must  be  made  to  not  adding  too  much  cost  to  the  sys- 
tems. Nevertheless,  employing  encryption  alone  is  not  sufficient  to 
avoid  new  types  of  attacks  via  other  new  breed  of  attacks  such  as 


using  side  channels  [3,  4,  5].  Vulnerability  can  be  exploited  by  an- 
alyzing information  leaked  through  these  channels.  For  example, 
the  absolute  and  relative  locations  of  the  program  code  are  not  al- 
tered during  instruction  fetch.  In  other  words,  addresses  are  issued 
on  the  bus  as  plaintext  and  can  be  probed  by  crackers  to  reconstruct 
the  control-flow  graph  of  a program.  Such  a vulnerability  is  partic- 
ularly pronounced  in  embedded  processors,  which  typically  do  not 
employ  cache  hierarchies  for  the  requirement  of  predictable  tim- 
ing. Even  with  the  presence  of  an  instruction  cache,  a cracker  can 
still  easily  circumvent  the  cache  by  turning  off  the  cache  or  flush- 
ing the  cache  to  force  instruction  addresses  shown  on  the  external 
bus.  In  some  cases,  such  information  leakage  can  lead  to  the  reve- 
lation of  critical  information  such  as  encryption  keys  or  passwords 
of  the  compromised  systems.  Another  example  of  the  same  type  of 
exploits  is  differential  power  analysis  (or  DPA).  As  shown  in  pre- 
vious studies,  a well-equipped  and  motivated  cracker  can  perform 
non-invasive  power  (or  current)  analysis  by  using  oscilloscope  on 
an  embedded  device  such  as  Smart  Cards  to  retrieve  secrets.  The 
idea  is  based  on  the  observation  that  power  dissipation  is  strongly 
correlated  to  different  program  behavior  on  a processor,  which  can 
then  be  used  as  a signature  to  compromise  secrets.  Furthermore,  the 
growing  application  of  low-power  techniques  such  as  clock  gating 
makes  such  attacks  even  easier. 

To  combat  such  issues,  effective  and  efficient  obfuscation  tech- 
niques must  be  considered,  in  particular,  building  them  directly  into 
the  hardware  at  the  microarchitectural  and  circuit  levels.  Funda- 
mentally, obfuscation  is  aimed  to  randomize  any  trace  or  signa- 
ture exhibited  from  address  stream  or  measurable  power  or  current 
consumption,  making  distinctive  computation  operations  indistin- 
guishable. A solution  demonstrated  by  [6]  uses  an  on-chip  shuf- 
fle buffer  to  perform  randomization  for  the  address  footprint.  The 
shuffle  buffer,  essentially  an  extended  small  memory  array  but  ex- 
clusive to  the  memory,  was  designed  to  reorder  all  addresses  to  the 
memory,  obfuscating  the  address  recurrences.  Addresses  that  are 
ready  to  be  evicted  from  the  shuffle  buffer  due  to  a conflict  will 
swap  their  locations  between  the  shuffle  buffer  and  the  main  mem- 
ory. As  such,  the  same  address  request  will  appear  differently  on 
the  bus  every  time  and  the  goal  to  evenly  distributing  the  observed 
addresses  can  be  achieved.  Several  other  literature  [7,  8]  also  inves- 
tigated such  address  leakage  issues  for  different  system  platforms. 

3.  CONTROL  FLOW  VULNERABILITY 

Exploits  such  as  buffer  overruns  that  alter  the  program  behavior 
by  injecting  malicious  codes  or  manipulating  high-privileged  users 
inputs  represent  another  major  concern.  The  latter  often  interacts 
with  input  channels  such  as  keyboard  or  network  connection  and 
changes  the  intended  program  flow  to  accomplish  their  illegitimate 
actions.  Note  that  a pure  software  countermeasure  can  be  slow  and 
incapable  of  detecting  such  violation.  To  make  the  software  more 
robust  and  evident  to  such  attacks,  anomaly  detection  mechanisms 


need  to  be  established.  An  anomaly  system  is  aimed  to  monitor 
program  execution  and  raise  an  alarm  whenever  there  is  a detected 
abnormal  program  behavior  such  as  program  is  redirected  to  unin- 
tended or  undefined  program  paths. 

An  effective  mechanism  requires  to  enforce  the  control-flow  aware- 
ness via  compiler’s  analysis  and  microarchitectural  support  to  en- 
able the  protection  with  high  efficiency  and  high  accuracy.  For  in- 
stance, an  Infeasible  Path  Detection  System  (IPDS)  proposed  in  [9] 
explores  the  synergy  of  compiler  and  microarchitecture  to  counter- 
act such  memory  tampering  attacks  causing  invalid  program  con- 
trol flow.  In  the  proposed  system,  the  compiler  analyzes  correla- 
tions among  conditional  branches  to  realize  illegal  program  flow 
changes.  Then  the  collected  information  is  made  available  to  the 
runtime  system.  The  runtime  system,  with  the  support  of  small 
hardware  tables,  will  detect  dynamic  violation  of  infeasible  pro- 
gram paths  based  on  the  static  information. 

4.  DIGITAL  RIGHTS  MANAGEMENT 

With  the  emergence  of  online  commerce  on  virtual  properties 
such  as  3D  game  characters  or  arts,  to  protect  these  intellectual 
property  on  embedded  devices  and  to  restrict  their  usage  have  be- 
come a new  design  challenge.  The  recent  incident  of  hacking  Xbox  [ 1] 
furthers  the  urgent  need  to  include  native  hardware  support  for  pro- 
viding a more  robust  digital  rights  management  (DRM)  to  enable 
a tamper-proof  embedded  platform.  To  integrate  such  protection 
scheme  into  media  processing  systems  more  seamlessly  and  se- 
curely without  compromising  performance,  it  requires  that  security 
experts  and  embedded  hardware  and  software  designers  to  align 
their  tasks  together.  A DRM-enabled  3D  graphics  processor  was 
demonstrated  in  [10].  It  consists  of  two  components,  a crypto- 
graphic unit  that  decrypts  protected  IP  data,  and  a license  verifi- 
cation unit  that  authenticates  the  license  of  these  data.  Similar  to 
digital  rights  licenses  used  in  other  content  protection  scenarios, 
the  graphics  digital  rights  licenses  released  by  their  providers  spec- 
ify and  designate  the  desired  usage  of  the  graphics  data.  Under 
this  system,  exploits  are  prevented  by  restricting  the  otherwise  arbi- 
trary bindings  among  geometry  input,  textures  and  shaders  through 
the  licenses  that  define  the  legal  bindings  of  these  objects.  Dur- 
ing rendering,  the  binding  context  consisting  of  decryption  keys 
and  digests  of  protected  data  will  be  checked  and  verified  in  the 
cryptographic  hardware  units.  Additionally,  such  a DRM-enabled 
graphics  system  also  protects  the  Z-buffer,  i.e.  the  depth  informa- 
tion, to  prevent  crackers  from  reconstructing  a 3D  geometry  model 
by  dumping  out  the  Z-buffer  values. 

5.  IMPLICATIONS  OF  FPGA-BASED  DE- 
SIGN 

More  recently,  due  to  the  substantial  improvement  in  FPGA  tech- 
nology, digital  designs  using  FPGA  is  no  longer  simply  for  early 
prototype  or  proof-of-concept.  In  fact,  products  are  being  imple- 
mented using  FPGA  for  its  efficiency  (design  turnaround  time),  re- 
configurability, and  flexibility.  FPGA  is  also  an  attractive  solution 
for  implementing  cryptographic  applications  to  adapt  the  needed 
changes  and  enhancements  in  security  policies.  An  example  is 
set-top  boxes  which  use  FPGA  to  encrypt  and  decrypt  the  media 
stream  for  pay-per-view  movies.  Even  though  the  above  applica- 
tions seem  to  fall  into  two  different  groups,  yet  their  demands  in 
security  are  almost  identical  — i.e.,  how  to  protect  the  contents  im- 
plemented and  configured  in  the  FPGA?  The  contents  from  the  first 
category  are  related  to  the  IP  (i.e.  the  algorithms)  issues  of  a pro- 
prietary design,  while  the  contents  from  the  second  category  will 
contain  critical  secrets  such  as  the  cryptographic  keys.  Similar  to 
what  we  described  earlier,  FPGA-based  designs  suffer  from  physi- 
cal tampering  — from  IP  theft  by  simply  reading  bitstream  out  of 


the  FPGA  to  DPA  side-channel  attacks.  To  address  such  vulner- 
abilities, new  ideas  are  needed  for  both  FPGA  chip  vendors  and 
synthesis  tools  and  algorithms  to  protect  the  contents  programmed 
on  the  gate  arrays. 

6.  CONCLUSION 

We  are  entering  an  interesting  time  for  embedded  designers  to 
(re)consider  security  as  a top  design  priority  at  the  early  design 
stage.  The  problem  is  multi-faceted,  involving  all  layers  in  a de- 
sign including  the  system  software  (OS  and  compiler),  architecture, 
microarchitecture,  and  circuits.  Several  challenges  are  lying  ahead 
and  a holistic  solution  across  the  stack  is  in  need. 

In  this  paper,  we  are  advocating  to  integrate  inherently  high  secu- 
rity hardware  and  system  support  to  embedded  processors.  These 
schemes  typically  require  dedication  of  on-chip  hardware  resources 
being  used  to  achieve  high  efficiency  and  be  effective.  Neverthe- 
less, any  additional  hardware  feature  for  cost-constrained  embed- 
ded systems  must  be  carefully  evaluated  and  justified.  Another 
challenge  of  integrating  security  solutions  in  embedded  systems 
is  power  consumption,  which  is  already  a constraint  for  battery- 
powered  devices.  It  will  become  worse  when  obfuscation  tech- 
niques are  applied  to  randomize  and  disguise  program  behavior. 
Adding  security  to  both  compiler  and  hardware  levels  could  also 
procrastinate  the  design  turnaround  time,  a critical  cost  and  com- 
petitiveness concerns  given  the  short  time-to-market  cycles  of  these 
products.  All  these  trade-offs  need  to  be  deliberately  balanced  in 
the  design  of  future  embedded  systems  to  enable  highly  security 
processing. 
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Types  of  HW-based  Physical  Attacks 

• HW-based  physical  attacks 

-Trace  system  bus,  peripheral  bus 

- Power/Timing  analysis 

- Build  fake  devices,  device  spoof  (e.g.,  MOD- 
chip) 

- Modify  RAM 

- Replay  bus  signals,  fake  bus  signal  injection 


XBOX  with  MOD-chip  installed.  MOD- 
chip  is  a low  cost  bus  snoop  and  spoof 
device  widely  used  to  break  XBOX 
security. 
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Designing  Secure  Processors 

* HW-based  Encryption/Authentication 

- A common  strategy  to  protect  data  confidentiality  and  integrity 

- Performance,  performance,  performance 

• Deficiencies  — Side  Channels 

- Power  (or  current)  signature 

- Execution  time  distinction 

- Instruction  addresses  on  the  bus  (unprotected  control  flow) 


• Potential  Solutions 


- Randomization 

- To  be  effective,  rethink  HW  design,  raise  the  level  of  difficulty  to 
break 

- Design  trade-off  between 

• power  saving  (©) 

• execution  time,  RT  constraint  (©) 

• security  level  (©) 
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Control  Flow  Leakage  — Example  T 

Control  Flow  Graph  Address  Sequence 


Addr(BI),  Addr(B2),  Addr(B3) 
Addr(BI),  Addr(B2),  Addr(B3).... 


repeated  addresses  c=>  loop 
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Control  Flow  Leakage 


Example  2 


Control  Flow  Graph 


Address  Sequence 

Addr(BI),  Addr(B2),  Addr(B4) 
Addr(BI),  Addr(B3),  Addr(B4).... 
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Control  Flow  Leakage 


Example  2 


Control  Flow  Graph 


Address  Sequence 

Addr(BI),  Addr(B2),  Addr(B4) 
Addr(BI),  Addr(B3),  Addr(B4),... 


either  B2  or  B3  follows  B1  r=>  conditional  branch 
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Critical  Data  Leakage  via  LSI 

Value-Dependent  Conditional  Branches 


Modular  Exponentiation  Algorithm 
(Diffie-Hellman,  RSA) 

Let  S0  = 1 

For  i = 0 to  w-1  Do 
If  (bit  i of©  is  1 then 

Let  T,  = (S  *C)  mod  N 
Else 

Let  Tj  = Si 
Let  Si+1  = I2,  mod  N 
EndFor 

Return  (Rw,1)  j 

T = CEhriod  N 


Return 


• Hacker’s  interest : to  find  K (the  secret) 

• Only  2 possibilities:  keyKoTK 
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Consequences  of  Control  Flow  Side-channel 

• Leak  critical  information  of  the  application 

• By  graph  matching  the  CFG,  reused  code 
can  be  ID-ed 

• Critical  data  can  be  leaked  as  well 

• Even  partial  knowledge  can  help 
competitors 
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Side-Channel  Countermeasure 

• Randomization 

• Design  trade-off  between 

- power  saving 

- execution  time  (RT  constraint) 

- security  level 
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Solution  Example:  si  H I 

Dynamic  Control  Flow  Obfuscation 

• A Hardware  Approach 

• To  map  address  differently  every  time  it  appears 
on  the  bus 

• Relocate  blocks  to  new  location  each  time  it  is 
evicted  from  the  processor 

• Should  not  write  out  immediately  after  access  to 
avoid  correlation  being  exposed 
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Dynamic  Obfuscation  Example 

accesses  shuffle  buffer  memory 


Start — after  fill 
up  the  buffer 


1 I 2 I 3 

ttTTt 


Shuffle  buffer  1 


memory 

1 1 2 | 3 | 4 | 5 | 6 | 7 1 8 [~9 
| 4 | 5 | 6 | 7 | 8 | 9 

1 6 | 7 | 8~|~9 
Memop 


Block  Address  Table 


Addrl 

map(Addr1 ) 

Addr2 

map(Addr2) 

Addr3 

map(Addr3) 

# # 

AddrX 

map(AddrX) 
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BHK 


Title  goes  here 


15 


Challenges  in  Embedded  Design 

• Physical  Tampering 

- Tamper-resistance  and  tamper-evidence 

- Side-channel  attacks  a— a 


Digital  Right  Management 

- Protect  Virtual  properties  with  encryption  and  right 

- Need  a DRM-enabled  graphics  processor 


Implications  on  FPGA  platform 

- Use  FPGA  for  cryptographic  algorithms 

- Protect  FPGA-based  IP 

- Vulnerabilities  yet  to  be  understood 
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Thank  You! 


Home  of  the  1996  Olympic  Village 


